Chris Mark in July 2014 of TransactionWorld (Proximate Reality)

Latest TW Article

Global Security, Privacy, & Risk Management

July’s issue of TransactionWorld Magazine was just released. Click here to read my latest article, “Understanding Proximate Reality to Improve Security”. Here is a preview:

“Various reports are published annually that analyze data breaches, opine on the root causes of the data theft and frequently ascribe blame to one party or another. It always invites scrutiny when a well-known security firm or analyst makes a definitive statement such as “X% of breaches could have been prevented through the implementation of basic controls, such as patching.” 

This position is not only inconsistent with accepted risk management practices, but also confuses the basic concepts of correlation and causation while ignoring the very human element of adaptation. Unfortunately, companies that subscribe to these simplistic views of the industry and threats are exposing themselves to very real dangers. As supported by the increasing number of breaches identified each year, information security is no longer a…



Understanding Deterrence & Crime Prevention

Reblog from GlobalRiskInfo

Global Security, Privacy, & Risk Management

The following is an excerpt from the 2012 research brief titled “Failed State of Security; A Rational Analysis of Deterrence Theory and Cybercrime.” I was recently provided a blog post by an ‘expert’ in which the author was again blaming the victim of a data breach while chiding companies for believing that they should not expect law enforcement to be there when you need them. The author misses a major purpose of the criminal justice system: deterrence of criminal behavior. In late 2013 a US Senator stood in front of a Target store and blamed Target for their data breach. Interestingly, this senator did not state that the US should redouble efforts to deter cybercrime through more effective laws or more aggressive law enforcement actions. Until the laws and criminal justice system can begin to deter such behavior, cybercrime will continue to plague data industries. So what is deterrence?

An…



“You Can’t Unring That Bell!” – What is a “Data Breach” and When Should I Notify?

Global Security, Privacy, & Risk Management

There are currently over 45 state breach notification laws, several data protection laws, and numerous regulations including PCI DSS, HIPAA/HITECH, FISMA, and more. I frequently find myself working with companies on data breach notification plans. One of the more interesting (and heated) discussions comes when I ask them to define a “data breach” or “data compromise”. More interesting is when I ask them to define a “suspected data breach”. Visa’s rules state that “suspected” breaches must be reported within 24 hours of identification or there could be penalties. Consider the following example. You, as CSO, are informed of a malicious software outbreak in the customer service department. Does this require notification under the state breach notification laws, or relevant regulatory regimes? Maybe, maybe not. It is dependent upon a number of factors including access to data, data protections (i.e., encryption), segmentation, the various laws, etc. In short, it is not…



Offensive Cyber Attacks – A Dangerous Proposition

Global Security, Privacy, & Risk Management

Let me preface this by saying I have been outspoken about passive cyber defensive strategies and their failure. You can read my paper, “Failed State of Security”, to learn more. On that note, Fox News had a story today that had me scratching my head. The recommendations were pedestrian at best, and dangerous in the most severe cases. In short, the article suggests that companies should take a more ‘offensive approach’ to preventing cyber attacks. Some of the recommendations include:

“Misinformation campaigns” such as planting fake documents and data for criminals to steal. As stated in the article: “One such strategy involves creating a disinformation campaign by distributing fake documents throughout a company’s own network to confuse and potentially misguide potential adversaries.” Companies today have a difficult time managing their own ‘real’ documents. This approach is inefficient, and bound to cause confusion among employees. How do you differentiate between the “real”…



“Active Responses” to Cyberattacks are Losing Propositions

Global Security, Privacy, & Risk Management

“Everyone has a plan until they’ve been hit” – Joe Louis

Having spent numerous years providing armed and unarmed physical security in combat zones, hospital emergency rooms, psychiatric wards, and anti-piracy operations off the coast of Somalia has given me a deep respect for the force continuum and the dangers of unnecessarily provoking an escalation by a volatile and dangerous adversary.

As cyberattacks continue to plague American companies as well as the payment card industry, there is a growing voice within the cybersecurity industry to allow and empower companies to take offensive action against cyber attackers. This is frequently referred to as ‘hacking back’ or ‘offensive hacking’. Several prominent security experts as well as some companies who have fallen victim to cyber-attacks have begun advocating that ‘a good offense is the best defense’. On May 28th, 2013 there was an online discussion in which an author of the upcoming book:



SC Magazine; The Need and the Challenge to Define Security

Read the entire article in the February 2014 edition of SC Magazine

“While used every day, the term “security” can be deceptively difficult to define and may contain various meanings to different people in divergent contexts. The industry at large seems to have adopted a stance of “I know it when I see it,” as opposed to objectively defining the concept. Unfortunately, this creates numerous problems for those who have a need to ‘secure’ data, or any other asset.

For more than two decades, I have served in a number of security functions, and have found it curious that in each industry or domain few, if any, people were able to provide a clear definition of the term ‘security’. Many could describe the concept and list characteristics, but nobody could provide an actual definition that could be used to objectively measure whether a building, system, person, or other asset was or was not secure.” Read the rest of the article here


Security 101; Security, Exploits & Vulnerabilities

Originally posted on GlobalRiskInfo February, 2012.

In light of the recent disclosures of breaches of major security technologies and vendors, I felt compelled to write this post. One of my favorite subjects to debate (and argue over) is security theory in general, and specifically the topics of vulnerabilities & exploits. They are concepts that are critical in the fields of information security, risk management and other areas of security. In truth, the concepts extend beyond IS, but they are very common in the IS world and easier, in my opinion, to discuss in the context of IS. So what are exploits & vulnerabilities and why are they important?

First, we need to understand that there is no “guaranteed security” and security can never be 100%, as there are always vulnerabilities which can be exploited. We may not have identified them yet, but they do exist. Given enough time, effort, and the right tools, any security control can be circumvented. Security should be viewed as a function of time and effort (this will be discussed below). Second, it is important to understand that the concepts of exploits and vulnerabilities are inextricably entwined and are mutually dependent. This is where the debate begins, so first let’s get a working definition of the terms. Continue reading
